Mysterious User Agent is random string, AQJPTSIP, e.g.
Anybody know what kind of masking agent is being used and why?
In my logs there are a very small number of hits that record the UA as a random string of capital letters. UOPKUXXBTGH or KRCNONPATKW or something like that. Just 7 of these since 1/1/02, in fact.
The other strange thing is that except for two isolated requests of my default page, they are all hits for one particular page deep in my site; 5 times on separate days over a 12-day period. They didn't request any of the page's graphics. There is no referer.
The IPs are all from various ISPs in the US and Canada. The latest, which appeared once, is a Spanish telephone company.
There's one IP with the random string UA -- the last appearance, in fact, on April 17th -- that had appeared back in February using MSIE 5.01 and looking for our old publications page, and getting served instead our new one (which my server does automatically) -- yet again, they didn't request any of the page's graphics, yet did request the page's .js file.
Has anybody seen this and know what it is?
I'd start collecting the IPs and try to figure out the similarities. Odds are good that they are proxy servers, and that this is a single program hitting you via these proxies.
"Altavista and DIIbot use suspicious request methods to test 404 errors. These robots, and perhaps others, probably use this method in order to figure out what a server's 404 response is (a kind of "profile"), and assumes that it's the same for all 404 pages.
Altavista only started doing it this year (2002). They request the page: /kjhgdkjhf1goifj2lktjelj34knfhjguih8bbj/index.htm.
However, these requests are completely innocuous to Apache, and probably do not need to be blocked."
Yes, I've seen those strange hits, too. I'd tracked them back to Altavista via the IP, and so I didn't worry about them -- plus there are so few of them. Now I know what they are! Thanks!
As for the random user agent strings I first wrote of, my best guess is that it is either part of a research project or some kind of privacy software. It's not a bandwidth problem at all, just a curious phenomenon.
I also got similar random named user agents (UZWIKKDJYZNQ, HQYLPTAQR etc). Had a closer look at my logs and saw that they were only accessing certain files on my site (maybe 3 pages out of 25). The following user agents were also accessing ONLY these pages.
These user agents have been discussed previously in the following topic
The IP addresses that these requests were coming from in my case:
126.96.36.199 - sympatico.ca
188.8.131.52 - pacbell.net
184.108.40.206 - pacbell.net
220.127.116.11 - rr.com
18.104.22.168 - rr.com
22.214.171.124 - WIBAND.COM
126.96.36.199 - rr.com
188.8.131.52 - Rogers.com
184.108.40.206 - attbi.com
220.127.116.11 - cox.net
They seem to be coming from different ISPs. My opinion is that they are spambots, trying to get email addresses?
I'm almost positive that they are related to Dsurfx and the other user agents. Can anyone else spot a relation in their logs between these?
I've had all these user agents coming from similar IPs, they only EVER visit default home pages and /guestbook/ default pages. Also recorded the random upper case agent coming from the same IPs after blocking *Surf* and *Browse* agents - definitely email harvesters IMHO, I have a trap out for them to try to verify.
Yeah, I've noticed that they seem to add blank entries to guestbooks. I found an example on the web at [donotenter.com...]
Never added anything to mine like that - different field names at a guess?
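An added example, not part of any post in this thread: one way to do the "collect the IPs and look for similarities" step over an Apache combined-format access log. It groups hits by client IP, flags clients that ever sent an all-capitals user agent, and shows what else those IPs sent, whether they fetched graphics or sent a referer, and which pages several of them share. The 6 to 16 letter pattern, the sample log lines, the IPs and the paths are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# NCSA/Apache "combined" line: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"')
# Assumption: a "random" agent is nothing but 6-16 capital letters, like those quoted in the thread.
RANDOM_UA_RE = re.compile(r'[A-Z]{6,16}')
IMAGE_EXT = ('.gif', '.jpg', '.jpeg', '.png')

def summarize(lines):
    """Per-IP activity for every client that sent a random-letter user agent at least once."""
    by_ip = defaultdict(lambda: {"random_uas": set(), "other_uas": set(),
                                 "pages": set(), "images": 0, "referers": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, referer, ua = m.groups()
        rec = by_ip[ip]
        rec["random_uas" if RANDOM_UA_RE.fullmatch(ua) else "other_uas"].add(ua)
        path = path.split("?", 1)[0]  # ignore any query string when classifying
        if path.lower().endswith(IMAGE_EXT):
            rec["images"] += 1        # graphics fetched: browser-like behaviour
        else:
            rec["pages"].add(path)    # pages, .js files and everything else
        if referer not in ("", "-"):
            rec["referers"] += 1
    return {ip: rec for ip, rec in by_ip.items() if rec["random_uas"]}

def shared_pages(report):
    """Paths requested by more than one flagged IP: the similarities worth a closer look."""
    counts = Counter(p for rec in report.values() for p in rec["pages"])
    return {p for p, n in counts.items() if n > 1}

# Constructed sample lines (documentation IP ranges, hypothetical paths); not real log data.
SAMPLE = [
    '192.0.2.10 - - [10/Feb/2002:09:12:01 -0500] "GET /oldpubs.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"',
    '192.0.2.10 - - [17/Apr/2002:14:03:22 -0500] "GET /pubs/page.html HTTP/1.0" 200 5120 "-" "UOPKUXXBTGH"',
    '192.0.2.10 - - [17/Apr/2002:14:03:23 -0500] "GET /pubs/page.js HTTP/1.0" 200 800 "-" "UOPKUXXBTGH"',
    '198.51.100.7 - - [12/Apr/2002:03:40:10 -0500] "GET /pubs/page.html HTTP/1.0" 200 5120 "-" "KRCNONPATKW"',
    '203.0.113.5 - - [12/Apr/2002:08:00:00 -0500] "GET /pubs/page.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '203.0.113.5 - - [12/Apr/2002:08:00:01 -0500] "GET /img/logo.gif HTTP/1.1" 200 900 "http://example.com/pubs/page.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for ip, rec in sorted(report.items()):
        print(ip, sorted(rec["random_uas"]), sorted(rec["other_uas"]), rec["images"], rec["referers"])
    print("shared pages:", sorted(shared_pages(report)))
```

An IP that shows up with both a random agent and an ordinary browser string, zero image requests and zero referers matches the pattern described in the first post.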